Heartbleed Attack Lab

Overview

The Heartbleed bug (CVE-2014-0160) is a severe implementation flaw in the OpenSSL library, which enables attackers to steal data from the memory of the victim server. The contents of the stolen data depend on what is there in the memory of the server. It could potentially contain private keys, TLS session keys, user names, passwords, credit cards, etc. The vulnerability is in the implementation of the Heartbeat protocol, which is used by SSL/TLS to keep the connection alive.

The objective of this lab is for students to understand how serious this vulnerability is, how the attack works, and how to fix the problem. The affected OpenSSL version range is from 1.0.1 to 1.0.1f. The version in our Ubuntu VM is 1.0.1.

Lab Tasks

• VM version: This lab has been tested on our pre-built SEEDUbuntu12.04 VM.

Recommended Time

• Supervised situation (e.g. a closely-guided lab session):
• Unsupervised situation (e.g. take-home project):

Videos (New)

• This topic is covered in my Udemy course: Internet Security: A Hands-on Approach.
• If you are in Mainland China, you can access the same course from the NetEase platform.

Files that are Needed

• attack.py

Suggested Reading

• SEED Book by Wenliang Du (Book website) (Chinese version)

SEED Labs

• Home Page

SEED Books

• The 2nd Edition

SEED Lectures

• Udemy Courses